regarding ipv6

David Edelman dedelman at iname.com
Fri May 23 15:23:11 EDT 2014


Carter,
 
I think that James is asking about printing the IPv6 addresses in canonical form rather than in compressed form i.e.: don’t suppress any leading zeros and don’t use :: notation.
 
--Dave
 
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu On Behalf Of Carter Bullard
Sent: Friday, May 23, 2014 11:10 AM
To: James Grace
Cc: Argus
Subject: Re: [ARGUS] regarding ipv6
 
Hey James,
Not sure what you mean by truncated addresses.
 
If you are printing ascii and feeding the record to something else, the default for the ra* programs is to use a FIXED_WIDTH algorithm. You can configure your saddr and daddr fields with larger fixed width buffers in your .rarc or on the command line.
 
   ra -s saddr:32 daddr:32 .....
 
Print with a different field separator than ' ' to get non-fixed fields, or configure your .rarc file to print with variable length fields.  The fixed width is for command-line and terminal oriented apps to make it look orderly.
 
     ra -c , 
 
ralabel and radium can label IPv6 addresses with ASNs using the GeoIP databases.  That should work pretty well, check out the ralabel.1 man page.
 
Carter



On May 23, 2014, at 10:16 AM, James Grace <jgrac002 at fiu.edu> wrote:
Thanks a bunch, Carter, does Argus store, or have the capability to, the full 128-bit record of an IPv6 address?  I'd like to be able to use ralabel to assign ASNs to v6 records, but it's having difficulty with the truncated addresses. 
 
Thanks much for all the help!
-james
 
 
On Wed, May 21, 2014 at 6:06 PM, Carter Bullard <carter at qosient.com> wrote:
Oh, and if you supply an ipv6 address in a filter,
you’ll find that we realize we’re working with ipv6
and do the right thing.

So this first example passes an ipv6 address.
We’ll grab the flow DSR (dsr[1]) and grab the second
byte in the header and try to find out if it's ipv6
(0x02).  Then we build a big ole 128 bit ipv6 address
to match.

thoth:~ carter$ ra -b - src host 1::16
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x2             jt 3    jf 11
(003) ld       dsr[1][16]
(004) jeq      #0x16000000      jt 5    jf 15
(005) ld       dsr[1][12]
(006) jeq      #0x0             jt 7    jf 15
(007) ld       dsr[1][8]
(008) jeq      #0x0             jt 9    jf 15
(009) ld       dsr[1][4]
(010) jeq      #0x100           jt 14   jf 15
(011) jeq      #0x4             jt 12   jf 15
(012) ld       dsr[1][12]
(013) jeq      #0x100           jt 14   jf 15
(014) ret      #150
(015) ret      #0


Here 0x01 is the bit indicator for ipv4, and, we load
up the address.  In this case we’re looking for the
address in arp and in standard ip flows.

thoth:~ carter$ ra -b - src host 1.2.3.4
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x1             jt 3    jf 5
(003) ld       dsr[1][4]
(004) jeq      #0x1020304       jt 8    jf 9
(005) jeq      #0x4             jt 6    jf 9
(006) ld       dsr[1][12]
(007) jeq      #0x1020304       jt 8    jf 9
(008) ret      #150
(009) ret      #0




On May 21, 2014, at 5:58 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey James,
> We don’t make a big distinction between ipv4 and ipv6.
> you can always filter on ipv6 by using the filter “ ipv6 “.
>
>   ra -S localhost - ipv6
>
> Aggregation works well, longest prefix match works and CIDR
> works, but they are literal operators, so if you do saddr/64
> on an IPv6 address, it should do the right thing, not sure
> it would be what you wanted …
>
> There is a distinction between ‘icmp’ and ‘icmp-v6’ as filters,
> so a filter like " icmp and ipv6 “ would return nada, as there
> won’t be any matches.
>
> Carter
>
> On May 21, 2014, at 3:25 PM, James Grace <jgrac002 at fiu.edu> wrote:
>
>> Hi,
>>
>> I have argus purring along smoothly and was wondering if there were filters built in or methods others are using to report on ipv6 traffic solely. I don't see anything in the man pages and the gmane search function is busted so I'm unable to look around on the list archives.
>>
>> Cheers,
>> -james
>
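As an added illustration of the `ra -b` listing Carter posted above for `src host 1::16` (example code written for this archive, not part of Argus), here is a small interpreter for that bytecode run over a constructed flow DSR. The DSR layout it assumes (flow type in the low five bits of byte 2, the source address starting at offset 4, `ld` reading a native little-endian word) is inferred from the listing itself, and `flow_dsr` and `IPV6_PROG` are names chosen here.

```python
import ipaddress
# Exactly the program `ra -b - src host 1::16` printed in the thread above.
IPV6_PROG = """\
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x2             jt 3    jf 11
(003) ld       dsr[1][16]
(004) jeq      #0x16000000      jt 5    jf 15
(005) ld       dsr[1][12]
(006) jeq      #0x0             jt 7    jf 15
(007) ld       dsr[1][8]
(008) jeq      #0x0             jt 9    jf 15
(009) ld       dsr[1][4]
(010) jeq      #0x100           jt 14   jf 15
(011) jeq      #0x4             jt 12   jf 15
(012) ld       dsr[1][12]
(013) jeq      #0x100           jt 14   jf 15
(014) ret      #150
(015) ret      #0
"""

def parse(listing):
    """One (op, operand, jt, jf) tuple per line; jt/jf are only set on jeq."""
    prog = []
    for p in (ln.split() for ln in listing.splitlines()):
        jumps = (int(p[4]), int(p[6])) if p[1] == "jeq" else (None, None)
        prog.append((p[1], p[2]) + jumps)
    return prog

def run(prog, dsr):
    """Interpret prog over one flow DSR (bytes) and return the ret operand."""
    acc, pc = 0, 0
    while True:
        op, arg, jt, jf = prog[pc]
        if op in ("ldb", "ld"):  # dsr[1][off]: one byte (ldb) or a 4-byte word (ld)
            off = int(arg.split("][")[1][:-1])
            # ld is a native little-endian load: 1::16's tail 00 00 00 16 == #0x16000000
            acc = int.from_bytes(dsr[off:off + (4 if op == "ld" else 1)], "little")
        elif op == "and":
            acc &= int(arg[1:], 0)
        elif op == "ret":
            return int(arg[1:], 0)
        pc = (jt if acc == int(arg[1:], 0) else jf) if op == "jeq" else pc + 1

def flow_dsr(src):
    """Constructed flow DSR (assumed layout): byte 2 holds the flow type (2 = IPv6)
    in its low five bits, the 16 source-address bytes follow at offset 4."""
    hdr = bytearray(4)
    hdr[2] = 0x02
    return bytes(hdr) + ipaddress.IPv6Address(src).packed + bytes(20)
```

`run(parse(IPV6_PROG), flow_dsr("1::16"))` returns 150 and any other source address returns 0. Note that the IPv4 listing compares `#0x1020304` directly while the IPv6 one compares the raw address bytes as little-endian words, which suggests (an inference from the listings, not documented here) that IPv4 addresses are held as a host-order integer and IPv6 addresses as network-order bytes.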
 